Log360 UEBA Release Notes

Enhancement

1. Vulnerable JARs identified in Log360 UEBA have been upgraded to improve security.

Fix

1. Log360 UEBA now supports Event Observer component in place of the depreciated Event Listener used in web browsers. This will ensure accurate report graph generation

Vulnerability fix

1. The PostgreSQL version has been upgraded from 10.21 to 14.12 to address a vulnerability related to PostgreSQL 10.21's end-of-life status.

Fixes

1. CVE-2023-46604 vulnerability fix: A security vulnerability with ActiveMq that can lead to remote code execution (CVE-2023-46604) has been patched. The ActiveMq version has been updated, and enhanced JMX authentication measures have been enabled.

Enhancements

1. Fetching events of AWS Reports from EventLog Analyzer: AWS events will now be fetched from EventLog Analyzer instead of Cloud Security Plus.

Fixes

1. An issue with adding custom reports from EventLog Analyzer when creating custom models has been fixed.
2. A security vulnerability reported by Aon Cyber Labs that caused server-side request forgery (SSRF) has been fixed.

New Feature

1. Support for Incident Workbench feature: This release includes the introduction of new APIs in Log360 UEBA to support the Incident Workbench feature in EventLog Analyzer. You will now be able to track anomalous user actions and view user risk scores within EventLog Analyzer.

New Feature

1. Real Time Anomaly Detection: You can now configure real-time anomaly detection for EventLog Analyzer reports. This will help detect behavioral threats as and when they occur, and you can defend your network from cyber risks proactively.

Fixes

1. CVE-2024-21733 vulnerability fix: A security vulnerability (CVE-2024-21733) that existed in older versions of Apache Tomcat has been patched. The upgraded version of Apache Tomcat is used now.

Fixes

1. Updating the PPM signer certificate: This release, which includes an integrated Delta agent, will automatically update the expiring PPM signer certificate with a new one, and help you in seamless application of the upcoming service packs.

   Important instruction: For customers who have enabled SSL connection, follow the below steps before restarting your UEBA instance after PPM installation (4055 build).

   • Navigate to <Home>/Log360UEBA/conf/
   • Open system_properties.conf file and add the below text at the end "product.keystorepass.encrypt=true"
   • Start the UEBA Instance.

Hot fixes

1. CVE-2023-5072 Vulnerability fix: This release fixes the security vulnerability (CVE-2023-5072) associated with JSON Java library that might lead to Denial of Service.

New feature

1. Smart Threshold for alerts: Users will have the option to choose between manual and Smart Threshold while configuring alert profiles. Smart Threshold obtains the threshold value automatically by analyzing the usual number of events occurring in the given time using machine learning algorithms. This will help reduce the false positives and increase the true positives, as the ML algorithms constantly observe anomaly behavior and update the Threshold value.

Enhancements

1. License details now displays the support type. The two support types are Classic, and Premium.
2. The support page has been updated to display contact details based on the support type.

New features

1. Premium support: Log360 UEBA now comes with Premium support option. In addition to the services included in default Classic support, Premium support gives customers a single point of contact, quicker turnaround time, 24-hour multi-channel assistance including telephone support and more.

New Features

1. Notification template for scheduled reports and alert profiles: Users will have the option to create customized notification templates for scheduled reports and alert profiles. This will allow the users to configure a custom message and the recipients list to whom the notification must be sent.
2. Two-Factor Authentication for user logon now supports authentication via SMS verification. Users can configure the SMS server from the server settings section.
3. Mail server configuration now supports authentication via OAuth and API methods.

Vulnerability Fix

1. A vulnerability(CVE-2023-35785) that will lead to two-factor authentication bypass has been fixed. The vulnerability was reported by dalt4sec through our bug bounty program.

New Feature

1. User Identity Mapping: Users can create and manage mapping configurations to link user identities across various domains in a network. This helps UEBA to determine the activity of a single user across multiple domains and correlate these activities to identify anomalies.

New Features

1. Log360 UEBA's new release now lets you configure Static peer group configuration. This configuration groups users based on the attributes set for them in your AD environment. Log360 UEBA provides a list of 7 default attributes from which you have to configure atleast one to enable Static peer group configuration.

New Features

1. Log360 UEBA's new release allows you to configure a ticketing tool of your choice. Besides assigning technicians to alerts within UEBA, now you can configure alerts to be raised as tickets automatically in the configured ticketing tool.

   The supported ticketing tools are as follows:

   • ManageEngine AlarmsOne
   • Jira Service Desk (Cloud and On-prem)
   • ServiceNow
   • Kayako and
   • Zendesk
2. We've introduced a new product notification feature which posts a notification within the product UI to update the user on any major security fixes or upgrades.
3. We've also made a few fixes to the security issues that were present.

Fix

1. Minor bug fixes

New Feature

1. Data masking for auditors: Administrators will have the option to mask users' identities from auditors. This will help maintain the privacy of users in the network. Auditors may only need to know the risk levels of different users and entities, and may not need to know who the user or device actually was. Details like user name, host name, IP address, and more can be masked. To the auditor, the masked data will appear as a random code.
2. Resolving masked data: Administrators can provide the masked value and Log360 UEBA will provide the original identity of the user, host, IP address, etc.
3. Mapping of users and entities: Every user will be mapped to the top entities they are associated with. These top entities would be devices or hosts that the user is known to use. With this feature, administrators will be quickly able to see within each user's profile if they are associated with an entity they are not expected to use.
4. Deep linking for users and entities: A link will be provided to the user's or entity's profile from different areas within Log360 UEBA such as Reports, Alerts, Watchlisted Users and Watchlisted Entities. This will help Administrators navigate efficiently and conduct their investigations.
5. Exporting Alerts: Alerts for a chosen time range can be exported as CSV, PDF, XLS and HTML report formats. This will help administrators submit the reports to management and aid intelligent decision-making. Administrators can also review the history of alert exports.
6. Server diagnostics and disk space analysis: Administrators can review information about the general health, setup, memory, installation and disk space details of Log360 UEBA. This will ensure that the product is working at the optimal level.

Vulnerability Fix

1. Mitigation of the Log4j vulnerability [CVE-2021-44832]: Log360 UEBA now uses Log4j version 2.17.0, which removes support for message lookup patterns and disables JNDI functionality by default. This fixes the Apache Log4j remote code execution security vulnerability.

Vulnerability Fix

1. Mitigation of the Log4j vulnerability [CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105]: Log360 UEBA uses Log4j version 2.9.1, which can potentially be affected by the Apache Log4j remote code execution security vulnerability. We have fixed this issue as Log360 UEBA now uses Log4j 2.17.0 which removes support for message lookup patterns and disables JNDI functionality by default.

New Feature

1. Contextual risk scoring: A contextual risk score will be provided along with average and peak risk scores, for specified time ranges. The contextual risk score will consider the subsequent anomalies after the specified time range to provide a more dynamic measure of the risk.
2. Add Active Directory groups to a watchlist: An Active Directory group can be selected at one go, to add all users within it to a watchlist.
3. Set all users within an Active Directory group as "Technicians": An Active Directory group can be selected at one go, to set all users within it as Technicians.
4. Configure alerts based on Active Directory group: An Active Directory group can be selected as a whole while configuring an alert. This will lead to all the users within the group to be configured for the alert.
5. Two-factor authentication: Two-factor authentication can be set up for added security during logons. It can be enabled for these methods: Email verification, Google Authenticator, RSA SecurID, Duo Security and RADIUS Authentication.

Enhancements

1. Enhancements to dashboard queries: Earlier the dashboard was loaded after queries to the database. Now the frequently displayed information will be cached in product memory, eliminating some database queries. This will reduce the time to load the dashboard.
2. Performance enhancements while analyzing count anomalies: All the anomalous activities based on count will be fetched from the Log360 component (ADAudit Plus, EventLog Analyzer or Cloud Security Plus) directly, instead of from Elasticsearch. This will save the dump time. In addition, it will also reduce the disk space requirements.
3. Clear failure notifications: Failure notifications will be given in case of exceptions. The user will get to know the reason for the failure.
4. Global search for users and entities: Global Search will allow you to search for any user or entity. Clicking on the user or entity will take you to the associated dashboard.
5. Splitting long patterns while displaying pattern anomalies: Pattern anomalies will be displayed after splitting long patterns into chains of length 2. This will be done only if the analysis of the long pattern takes more than two minutes to complete. By doing this, the file size will reduce and performance speed will increase.

New Feature

1. Anomaly modeling for comprehensive analysis: Earlier, only predefined anomaly models built on specific reports from ADAudit Plus, EventLog Analyzer and Cloud Security Plus were available as reports under Custom Reports. Now, custom anomaly models can be built based on any report from these three components. The custom anomaly models that are built will be available as custom reports within Log360 UEBA.

Security Enhancements

1. Prompt for a secure connection: When logging on to Log360 UEBA, users will be prompted to enable HTTPS connection in case they have not done that yet. The user can also enable HTTPS connection from the Product Settings page. An HTTPs connection increases security.
2. Alert to change default admin account password: When logging on to Log360 UEBA, the default admin will be prompted to change the default admin password in case they have not done that yet. The admin can click on "Change Now" to be redirected to the Change Password page. This will enhance security.

Enhancement

1. Archival of count anomaly details: Details about count anomalies older than 30 days will now be archived along with other anomaly details. This will help save disk space.

New Feature

1. Peer grouping of users: Based on observed past behavior, users will be automatically placed in distinct peer groups. A specific user can belong to multiple peer groups. The peer group will be considered when calculating the anomaly confidence level and this will in turn affect their risk score. This will provide better security context and decrease false positives.

Enhancement

1. Ability to add notes about users and entities: Security analysts can now select any user or entity from the Users' or Entities' Dashboard, and add or update notes about them. The analyst entering the note and the timestamp will also be recorded. Notes help the security team to document and share their findings.

Security Enhancement

1. Protection from erroneous product updates: To protect against an erroneous or malicious PPM file from being applied during product updates, PPM and DLL signing will now be performed. This will enhance security and integrity.

New Features

1. Anomaly visualization: Users can now see a graphical representation of every analyzed anomaly. This will show how far apart the observed values are from the expected values.
2. Hiding users and entities from dashboard: Specific users and entities can now be hidden from the dashboard. This may be used in cases where a user or entity is deemed to be trustworthy.
3. Logon anomalies: Anomaly details and risk scores will now be provided for logon anomalies, a new category of threat.

Enhancements

1. Apache struts framework is no longer used: Vulnerability caused due to Apache Struts has been fixed (Apache Struts dependency has been removed).
2. Analysis of anomalous events in bulk: The solution now supports the analysis of anomalous events in bulk rather than as single events. This will translate into improved performance.
3. Improved design for exported reports: All anomaly reports exported as HTML, XLS and PDF files will now feature a new and improved design.

New Features

1. PAM360 Integration: Log360 UEBA now integrates closely with ManageEngine PAM360 to analyze anomalies in privileged accesses.

New Features

1. Elasticsearch (ES) Archiving: Users now have the option to archive already detected anomalies in compressed index files for a period of their choice. This will improve storage utilization.
2. RunQuery for querying database: Users can now query the Log360 UEBA database by executing runQuery.do on the system that runs Log360 UEBA.

Enhancements

1. Greater visibility of data during the UEBA training period: The dashboard during the initial UEBA training period will now feature more insights into network activity.
2. XLS and HTML format for export: Users can now export reports into XLS and HTML formats, apart from PDF and CSV formats.
3. AD thumbnail photo sync for users profile picture: The users' photo stored in the ThumbNailPhoto attribute in AD can now be displayed along with their risk scores. This photo will be made available due to a sync with Active Directory.
4. Memory update: The memory allocated to the product and ES can now be updated from the product settings tab.

New Features

1. Alerts: Real-time email notifications can now be sent for detected anomalies and high risk scores.
2. Global Search: Users can now search across all sections of the UEBA component including reports, settings, and the help documentation for the required details.

Enhancements

1. Manage Reports: Management of categories, groups, and reports is now easier with the Manage Reports option.
2. Option to add log level filters to set the severity level for the logs collected.

Fix

1. The authentication bypass vulnerability (CVE-2020-24786), identified by Florian Hauser, has now been fixed.

Features

1. Risk score customization: Risk score can now be customized based on the extent of deviation from the baseline of the regular activities of a user, and also the requirements of the organization.
2. Cloud Security Plus integration: Integrated with Cloud Security Plus to ensure real-time monitoring of your cloud platform.

Enhancements

1. Enhanced reports page: You can now select the desired device from the drop-down and get advanced reports for them. Additionally, few new reports have also been included.

New Feature

1. Active Directory-based authentication: Users can now log into the Log360 UEBA console using their Active Directory domain credentials.

New Features

1. Spot anomalies in AD activities including logons, user activity, account lockouts, and more.
2. Schedule reports: Reports can be scheduled to be generated at specific intervals and emailed to stakeholders or stored at a specified location.
3. The UEBA module supports Chinese and Japanese.

Enhancements

1. The performance of the machine learning algorithms have been enhanced with Redis.
2. Support of Microsoft SQL Server as the backend database.
3. The dashboard has been enhanced for better user experience.